A North Korean-linked threat actor known as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency through social engineering campaigns over a six-month period.
The findings come from Microsoft, which said several threat activity clusters with ties to the country have been observed creating fake profiles on LinkedIn, posing as both recruiters and job seekers, to generate illicit income for the sanctioned country.
Sapphire Sleet, known to be active since at least 2020, overlaps with hacking groups tracked as APT38 and BlueNoroff. In November 2023, the tech giant disclosed that the threat actor had set up infrastructure impersonating skill assessment portals to carry out its social engineering campaigns.
A key tactic the group has used for more than a year is to pose as a venture capitalist, fraudulently claiming an interest in a target user's company in order to set up an online meeting. Targets who take the bait and attempt to join the meeting are shown error messages urging them to contact the room administrator or the support team for assistance.
If the victim contacts the threat actor, they are sent either an AppleScript (.scpt) file or a Visual Basic Script (.vbs) file, depending on their operating system, under the pretext of resolving the connection issue.
Under the hood, the script downloads malware onto the compromised Mac or Windows machine, ultimately allowing the attackers to harvest credentials and cryptocurrency wallet data for subsequent theft.
Sapphire Sleet has also been observed posing on LinkedIn as a recruiter for financial firms such as Goldman Sachs in order to reach out to potential targets and ask them to complete a skills assessment hosted on a website under its control.
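The delivery pattern described above (a user-supplied .scpt or .vbs file handed to the platform's script interpreter) is something a detection engineer can hunt for without campaign-specific indicators, which the page does not provide. The following is an added example, not Microsoft's detection logic or anything from the original report: it scans constructed process-creation events and flags osascript, wscript.exe or cscript.exe launching a script file from a user download or temp directory. The event schema, the directory list and the sample events are all assumptions made for the example; an inline `osascript -e` call and a scheduled admin .vbs under ProgramData are included to show what the heuristic deliberately does not flag.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events for this example only
# (not real telemetry). Fields: host, parent image, image, command line.
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent": "/usr/bin/open", "image": "/usr/bin/osascript",
     "cmdline": "osascript /Users/alice/Downloads/fix_meeting.scpt"},
    {"host": "win-07", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\bob\\Downloads\\support_fix.vbs\""},
    # Scheduled admin script outside any user drop directory: should not alert.
    {"host": "win-09", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\cscript.exe",
     "cmdline": "cscript.exe C:\\ProgramData\\corp\\inventory.vbs"},
    # Inline AppleScript with no script file: should not alert.
    {"host": "mac-02", "parent": "/bin/zsh", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"build done\"'"},
]

# Script interpreters that would execute the .scpt / .vbs lure files.
SCRIPT_HOSTS = {"osascript", "wscript.exe", "cscript.exe"}

# Assumed list of directories where user-downloaded or mail-delivered files land.
USER_DROP_DIRS = re.compile(
    r"(?i)[\\/](Downloads|Desktop|Temp|Tmp|AppData[\\/]Local[\\/]Temp)[\\/]")

# First .scpt or .vbs path on the command line, with or without quotes.
SCRIPT_FILE = re.compile(r"(?i)[\"']?([^\s\"']+\.(?:scpt|vbs))[\"']?")


@dataclass
class Alert:
    host: str
    interpreter: str
    script_path: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_suspicious_script_runs(events) -> list:
    """Return an Alert for every event where a script interpreter runs a
    .scpt/.vbs file located in a user drop directory."""
    alerts = []
    for ev in events:
        interp = basename(ev["image"])
        if interp not in SCRIPT_HOSTS:
            continue
        match = SCRIPT_FILE.search(ev["cmdline"])
        if not match:
            continue  # inline -e usage or no script file argument
        script_path = match.group(1)
        if USER_DROP_DIRS.search(script_path):
            alerts.append(Alert(ev["host"], interp, script_path))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_script_runs(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.interpreter} ran {alert.script_path}")
```

In a real deployment the same logic maps onto a process-creation query (Sysmon event 1, EDR telemetry, or macOS unified logs) and is best paired with a second signal, such as the interpreter spawning a network connection or writing to the user's login items, since administrators do occasionally run scripts from their Downloads folder.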
“The attacker sends the target user the sign-in account and password,” Microsoft said. “In signing into the website and downloading the code associated with the skill assessment, the target user downloads malware onto their device, giving attackers access to the system.”
Redmond also characterizes North Korea's practice of sending thousands of IT workers abroad as a triple threat: it earns money for the government through "legitimate" work, lets the workers abuse their access to steal intellectual property, and facilitates data theft for extortion.
“Because it’s difficult for a person in North Korea to sign up for things like a bank account or phone number, IT workers must use facilitators to help them gain access to platforms where they can apply for remote jobs. These facilitators are used by IT workers for tasks such as creating an account on a freelance job website.”
This includes creating fake profiles and portfolios on developer platforms like GitHub and LinkedIn to communicate with recruiters and apply for jobs.
In some instances, they have also been found using artificial intelligence (AI) tools such as Faceswap to edit photos and documents stolen from victims, or to place images against professional-looking backgrounds. These photos are then used on resumes or profiles, sometimes for multiple personas, that are submitted with job applications.
“In addition to using AI to help create images used with job applications, North Korean IT workers are experimenting with other AI technologies such as voice-altering software,” Microsoft said.
“North Korean IT workers appear to be very organized when it comes to tracking payments received. In total, this group of North Korean IT workers earned at least US$370,000 for their efforts.”